Apple releases iOS 12.1.3, macOS Mojave 10.14.3, and more security updates

Posted on January 23rd, 2019 by

This week Apple released updates for its iOS, watchOS, tvOS, and macOS operating systems, as well as for Safari for macOS and iCloud for Windows. Let's take a look at what's new—both in terms of bug fixes and security improvements.

iOS 12.1.3

Apple's release notes listed iOS 12.1.3 as an update that:

- Fixes an issue in Messages that could impact scrolling through photos in the Details view
- Addresses an issue where photos could have striped artifacts after being sent from the Share Sheet
- Fixes an issue that may cause audio distortion when using external audio input devices on iPad Pro (2018)
- Resolves an issue that could cause certain CarPlay systems to disconnect from iPhone XR, iPhone XS, and iPhone XS Max

This release also includes bug fixes for HomePod. This update:

- Fixes an issue that could cause HomePod to restart
- Addresses an issue that could cause Siri to stop listening

But there is more going on under the hood, of course, including more than 31 security fixes. Here are a few notable ones:

Bluetooth
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: An out-of-bounds read was addressed with improved input validation.

CoreAnimation
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.

FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A remote attacker may be able to initiate a FaceTime call causing arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.

As you can see, some effort was put into making sure malicious applications and remote attackers cannot have their way with your data. At the core of the operating system, the kernel also received some attention; six issues were addressed that could have allowed a malicious application to access shared memory or run code with elevated privileges.

Safari and many other parts of the operating system rely on the WebKit framework, and as usual, there is no shortage of WebKit-related fixes in this release; nine issues were patched in total.

With more than 31 security-related issues addressed, iOS 12.1.3 is an update that should be installed sooner rather than later. As always, back up your iOS device prior to updating just in case something does not go as planned.

The full list of security fixes can be found here. iOS users can update by going to Settings > General > Software Update on their devices, or by connecting the device to their computer where iTunes can download and install the update.

watchOS 5.1.3 and tvOS 12.1.2

Apple released OS updates for Apple Watch (Series 1 and later) and for Apple TV (fourth and fifth generation), with seemingly no reported non-security features or fixes—but there are 17 or 24 reasons to update, respectively.

Most of the issues addressed in watchOS and tvOS are the same as those addressed in iOS. To read the details, you can find the security content information at the below links:

About the security content of tvOS 12.1.2
About the security content of watchOS 5.1.3

The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

To install the watchOS update, connect the Apple Watch to its charger, then on the iPhone open the Apple Watch app and go to My Watch tab > General > Software Update.

Safari 12.0.3 for macOS

Safari 12.0.3 (available for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.3) brings no new features but addresses ten security issues, mostly focused on WebKit.

The list of security fixes that were addressed can be found here. To install this update, visit the Updates tab of the App Store app on macOS High Sierra or Sierra, or on Mojave go to Apple menu > System Preferences... > Software Update.

macOS Mojave 10.14.3, Security Update 2019-001 High Sierra and Security Update 2019-001 Sierra

Listed simply as updates that "improve the security, stability and compatibility of your Mac," no new features were announced for Mojave users, but between the three macOS versions, at least 23 security issues were addressed in total—of which 18 are for Mojave, 16 are for High Sierra, and 12 are for Sierra. Some of these fixes include:

FaceTime
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.2
Impact: A remote attacker may be able to initiate a FaceTime call causing arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.

Bluetooth
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.2
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: An out-of-bounds read was addressed with improved input validation.

Hypervisor
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved state management.

Intel Graphics Driver
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory consumption issue was addressed with improved memory handling.

Some Macs with a T2 chip reportedly also received an EFI firmware update.

Apple's full list of security-related fixes for the update can be found here.

macOS Sierra and High Sierra users can find the security update in the App Store app under the Updates tab. Mojave users should visit the Software Update pane in System Preferences (Apple menu > System Preferences... > Software Update) instead; on Mojave the App Store app will no longer list operating system updates.

Whether you're using iOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.

See also our related article on checking your macOS backups:

How to Verify Your Backups are Working Properly

iCloud for Windows 7.10 and iTunes 12.9.3 for Windows

Last but not least, for users of Apple products who also use Microsoft Windows, Apple released iCloud for Windows 7.10 which addresses a dozen WebKit and SQLite vulnerabilities. More information on the update can be found here.

UPDATE: On Thursday, Apple also released iTunes 12.9.3 for Windows, addressing the same dozen vulnerabilities and two others. More information can be found here.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.